Amazon Fire TV Stick: A First Look 


Logan C. Morrison¹, Huw O. L. Read¹,²,³, Konstantinos Xynos³, Iain
Sutherland²


¹Norwich University, Northfield, Vermont, USA
²Noroff University College, Kristiansand, Norway
³University of South Wales, Pontypridd, UK
morrisonlc12@gmail.com, hread@norwich.edu, iain.sutherland@noroff.no,
kxynos@gmail.com


Abstract 


This paper presents the results of a forensic acquisition and analysis study of a 
popular streaming media device, the Amazon Fire TV Stick. Although its primary 
functions include streaming videos and playing non-intensive video games, it is a 
reasonably powerful device running the Android operating system. This paper 
explores what additional capabilities are being developed in the hacking/enthusiast 
community and considers the implications such alterations to these devices may 
have in the field of digital forensics. Using an empirical assessment, the paper 
seeks to identify the potential for misuse and to provide recommendations to the 
investigator if they should find themselves analyzing such a device. 


Keywords: Embedded systems, data acquisition, Fire TV Stick, data extraction 


1. Introduction 


The concept of streaming media is 
commonplace to most users. As 
streaming services become more 
popular, the idea of cord cutting, or 
dropping cable TV subscriptions and 
replacing them with services such as 
media streaming, has taken hold 
(Evangelista 2015). Streaming service 
providers have responded to this 
with devices such as the Fire TV 
Stick. These devices bring streaming 
services to users’ TVs in an affordable
manner. Over time, these devices 
have simply become more popular 
and current estimates show that over 
one-half of US homes have a TV 
connected to the Internet through 
one of these devices. It is also 
estimated that global shipments of 
these devices will increase from 240 
million devices in 2016 to 382 million 
devices by 2021 (Smith 2016). The
rise of these devices has caused
streaming media forensics to become 
its own specialist area, focusing 
around the specific challenges that 
these devices pose to forensic 
investigators. 

During the first quarter of 
2015, it was reported that there were 
4.5 million Fire TV devices currently in 
circulation, and that number has 
certainly grown since then (Terry 
2015). Amazon Fire TV Stick devices 
are included in this overall number. 
Currently, there is little
information available concerning
what information is stored on the
Amazon Fire TV Stick, or how to
acquire an image of the data in a
forensically sound manner. This
paper’s goal is to provide insight into
what information exists on the
Amazon Fire TV Stick that is of
interest to forensic investigators, and
to present a methodology that can
be used by, and provide guidance to,
forensic investigators analyzing these
devices.

This paper is arranged in the 
following manner. The Related Work 
section highlights some of the 
literature that helped shape the 
investigation. The Methodology 
section describes the experiment 
methodology used to discover the 
acquisition process and to discover 
what data is of importance. The 
Forensic Assessment section 
describes the different tests 
performed on and the forensic 
analysis of the Fire TV Stick. The 
Recommendations section presents 
the methodology for extracting 
useful information from the device. 
Lastly, the Summary section 
highlights conclusions from the 
research, and the Future Work 
section highlights potential follow-on
work for the future. 


2. Related Work 


Streaming media devices present 
unique challenges when it comes to 
accessing the data, as many seem to 
require hardware modifications in 
order for the data to be acquired. 
Some research concerning the 
forensic analysis and acquisition of 
data from streaming media devices 
has already been attempted, yet 
there has been little done with the 
Amazon Fire TV Stick. However, it is 
possible to learn about the types of 
challenges that may be experienced 
as well as potential acquisition 
methods by reviewing work on similar 
media streaming and other devices. 


Chromecast 

Previous work (van Bolhuis and Van 
Bockhaven 2014) provided an analysis 
of files contained within a crash 
report generated by the Google 
Chromecast. However, the method 
used to do this involves crashing the 
device, which causes major changes 
to the device itself and is thus not 
forensically sound. The greatest 
challenges faced by the researchers 
appear to be that the Universal 
Asynchronous Receiver/Transmitter 
(UART) connection provides minimal 
data and the encryption of the flash 
chip with a unique per device key. 
These make data acquisition and 
analysis rather difficult. However, 
analysis of the zip file allowed the 
layout of the NAND chip, useful 
timestamps, and data concerning 
streamed videos to be recovered 
(van Bolhuis and Van Bockhaven 
2014). 

Measy A2W Miracast 

The analysis of the Measy A2W 
Miracast, also conducted by (van 
Bolhuis and Van Bockhaven 2014), 
was of more interest due to the 
larger number of acquisition
possibilities and the amount of useful
data that could be recovered. 
Hardware experiments included 
accessing the UART interface by 
physically connecting several pins on 
the device’s main board. This allowed 
memory dumps, created using 
Hexdump, to be read out from the 
device. However, using the UART 
interface can change the memory and 
is not forensically sound. Experiments 
using the device firmware’s curl 
binary showed that files can be posted 
to a Wi-Fi enabled server, but this
is inconsistent and unreliable. The
experiment focusing on imaging the 
NAND flash chip conducted by (van 
Bolhuis and Van Bockhaven 2014) 
discovered that the NAND chip 
could be imaged effectively, and in 
a forensically sound manner, using 
specific toolkits and a write 
blocker. Some work using Netcat 
listener to acquire files over Wi-Fi 
was also conducted. 

The researchers were able to 
recover MAC addresses, links, image 
files, URLs, firmware data, 
timestamps for device usage, WPA2 
passwords, and SSIDs using the
toolkits, and techniques such as file 
carving (van Bolhuis and Van 
Bockhaven 2014). This work was of 
interest due to its presentation of: 
multiple methods for acquiring a 
streaming media device, a 
forensically sound manner of 
acquisition, and challenges that can 
arise while working with these 
devices and potential methods to 
overcome them. However, some of 
the methods in use still present 
extreme risks that may keep them 
from being of use to forensic 
investigators, including the 
possibility of bricking the device. 


Amazon Kindle Fire HD 

The research conducted by (Iqbal, 
et al. 2014) was of particular 
interest due to the similarities 
between the Kindle Fire HD and 
the Fire TV Stick. Both of these 
devices run Amazon’s Fire OS and 
utilize an EXT4 file system. 
Therefore, it was suspected that 
methods/ideas used against the 
Kindle Fire HD would be useful for 
the Fire TV Stick as well. The 
Active Power Cable experiment used 
a modified USB cable to gain root 
access and the Android Debug 


Bridge (ADB) to image the userdata 
partition. The qemu automated root 
exploit experiment used a qemu 
exploit to gain root access and then 
used ADB to image the user partition. 
An analysis of the userdata partition 
showed that app data, user data, 
photos, browsing data, audio data, 
cloudsync status, and other useful 
data could be recovered (Iqbal, et al. 
2014). 

This work pointed us toward 
focusing our acquisition and analysis 
efforts on the Fire TV Stick’s
userdata partition. It also 
demonstrated the necessity of having 
root access to the device in order to 
access the partition, along
with the challenges we were likely
to face in attempting to do this. 
However, these methods require that 
USB debugging be enabled on the 
device in order to work, which poses 
an issue for investigators who come 
across devices where this is disabled. 
Enabling USB debugging may require 
the modification of the device and 
thus may potentially harm the 
forensic soundness of these methods. 


3. Methodology 


Forensic soundness is extremely 
important for any methodology used 
for information/data extraction, 
especially if it may be relied on in a 
courtroom setting. Forensic 
soundness focuses around 
limiting/eliminating changes made to 
the device before and/or during data 
extraction. Thus, all tests and 
experiments performed on the Fire 
TV Stick were carried out with 
specific attention paid to this 
requirement. 

An initial study of relevant 
literature and of the Fire TV Stick’s 
functionality was performed in order 
to identify potential methods and 
areas that a digital investigator may 
wish to use/examine. The paper on 
Amazon Kindle Fire HD Forensics by 
(Iqbal, et al. 2014) was extremely 
useful when identifying which areas of 
the device to analyze/focus on. The 
study of the Fire TV Stick involved 
reviewing lists of its supported 
functionality, as well as powering on 
the device and going through the 
various menus to see what kinds of 
artifacts may be contained on the 
device. The focus was to identify what 
functionality would be employed by a 
“typical” user, what applications 
would typically be used to employ the 
different functionalities, and where 


artifacts of the user’s actions would be 
located on the device. Eventually, it 
was identified that the userdata 
partition would be the most likely 
location to find artifacts of user 
actions. A list of features to be 
employed in the fashion of a “typical” 
user, and the applications associated 
with these features was also 
generated. The features/apps to be 
employed are listed below: 

• Video streaming through Netflix, YouTube, and Amazon free content
• Music streaming through Spotify & Pandora
• Gaming through Amazon’s app store
• Uploading/viewing photos through Amazon’s Cloud Drive
• App downloading through Amazon’s app store
• Side loading Android apps not found in Amazon’s app store through ADB

Experiment Methodology

The experiment methodology was 
developed by exploring the 
functionality employed, the locations 
of userdata storage, the state of the 
Fire TV Stick, and different physical, 
logical, and manual acquisition 
options. The goal was to determine 
if it was possible to retrieve data 
generated by the different features 
and applications. This involved 
performing “typical” user actions 
with these features and apps, in 
order to introduce the data and see 
if it could be retrieved later on. 
Towards the end of the experiment, 
a new software update became 
available for the Fire TV Stick. This 
update caused issues with some of 
the acquisition methods, and, due to 
time restrictions, this update and its 
effects could not be fully explored. 
The experiment methodology 
followed the general outline detailed 
in brief below: 

• Record the state of the Fire TV Stick (New out-of-the-box,
  with/without USB debugging enabled, with/without root,
  before/after user actions, etc.).
• Identify the physical, logical, or manual method being tested
  (ADB imaging with root, logical imaging using a Python script
  and ADB, recording the menus, etc.).
• Activate the video capture device and record the time.
• Power on the Fire TV Stick and record the time.
• Systematically move through the different features/applications
  to be employed and record the corresponding times. Record what
  content was involved in this employment for potential
  identification later.
• Power off the Fire TV Stick, stop the video capture, and record
  the times.
• Employ the method being tested and attempt to create an image of
  the Fire TV Stick. Record the success or failure specifics of
  the method. Record information about the image(s) created by the
  method.
• Explore the generated image(s), if the method was successful, in
  order to identify artifacts of user actions and system
  information. FTK Imager v.3.4.0.1 and AccessData Labs v.5.1 were
  used to support these functions.

Test Data 

The Fire TV Stick is designed to be 
registered to a specific Amazon 
account in order to access Amazon 
content. An Amazon account was 
created for the device under the 
name “Fire Stick”. A gaming profile 
was also created locally on the device 
under a pseudonym. The authors’
accounts for Netflix, Pandora, and 
Spotify were used in order to test 
the video and music streaming 
features. 

To assess video-streaming
features, Netflix and YouTube apps 
were installed and accessed. The 
Netflix app was then used to stream 
the first 10 minutes of movies/TV 
shows including: House of Cards 
Season 1, Ep 2, Pulp Fiction, V for 
Vendetta, and Family Guy Season 13, 
Ep 19. The YouTube app was also used to
stream several sample videos.
Lastly, Amazon’s free streaming
video content was used to stream
Doomsday Preppers Season 1, Ep 1
and Alaska State Troopers Season 1, 
Ep 1. 

Assessment of the music-streaming
feature involved the
installation of the Spotify and Pandora
apps. Spotify was used to stream
music by Pink Floyd, Zac Brown
Band, and
James Bay. The Pandora app was
used to stream music from a “Hard 
Rock” radio station, including music 
by Breaking Benjamin and Five 
Finger Death Punch. 

The gaming feature was 
assessed by first setting up a local 
gaming profile on the Fire TV Stick. 
This profile was set up and named
automatically, without direct action 
by the user. It appeared once the 
first game had been downloaded to 
and launched on the system. 
Amazon’s app store was then used to 
download two games, “Flappy Birds 
Family” and “Crossy Road”. These 
apps were then launched 
individually and two rounds of the 
game were played on each. 

In order to assess the photo 
uploading and viewing feature 
through Amazon’s Cloud Drive, a 
free trial for Cloud Drive was 
started using the Fire Stick Amazon 
account and an email address. 
Photos were then uploaded using 
the Fire Stick account, the Cloud 
Drive website, and a workstation. 
Once the photos were successfully 
uploaded, they were viewed through 
the Fire TV Stick’s photo tab. The 
photo tab was then used to view the 
“Test” and “Favorites” albums and to 
add photos to these albums. 

Amazon’s app store and the 
app downloading feature were 
assessed by downloading additional 
apps. The NBC and HBO Go apps 
were downloaded from the app store 
in order to assess this feature. The 
idea behind this was to see what 
kind of information could be 
recovered concerning apps that were 
downloaded but never used. 

The side loading of Android
apps from sources other than
Amazon’s app store was assessed
using ADB and the ES File
Explorer app. The ES File Explorer
app was used to download Kodi, the 
newer version of Xbox Media Center, 
directly from its download page. This 
was done by creating a Kodi favorite 
tab to navigate to the web page and 
then using the remote to navigate the 
page. Kodi was then launched to 
ensure that it worked properly. 
ADB’s install command can be
used from a
workstation to obtain downloaded
Android APK files and install them 
onto the Fire TV Stick. This method 
was used to install the Firefox and 
Google Chrome web browser apps. 
These apps were then launched to 
ensure that they worked properly. 
The web browsers were used to 
navigate and log in to Facebook 
using my personal credentials, and 
my page was navigated using the 
remote. 


4. Forensic Assessment 


Different tests were devised and 
conducted to assess the ability of a 
forensic investigator to acquire an 
image of and identify artifacts of user 
actions/device information on a Fire 
TV Stick. The test data discussed in 
the Experiment Definition section was 
introduced at different times 
throughout the testing process. 


ADB Extraction Test (No root permissions)

The ADB pull
functionality was employed to create 
an image of the userdata partition. 
The test began by powering on the 
Fire TV Stick, setting it up, enabling 
USB debugging, and powering off the 
Fire TV Stick. The experiment then 
involved removing the device from 
the TV it was connected to and 
connecting it to a Windows 
workstation. An ADB server was then 
started on the workstation and a 
connection was established with the 
Fire TV Stick. ADB’s mount command 
was then used to identify the 
location of the userdata partition. 
Once identified, the ADB pull 
command was used to attempt to 
image the partition but failed due 
to a lack of root permissions. The 
dd command was also used to 
attempt this but failed for the same 
reason. Thus, this test failed to 


extract an image from the device and 
therefore could not be used to identify 
useful information on it. 

UFED Touch Test 

Cellebrite’s UFED Touch v.1.9.0.130 
was used to attempt to take physical, 
logical, and file system extractions of 
the Fire TV Stick. Research 
conducted by Jacob Horowitz showed 
that a physical extraction of the 
Amazon Kindle Fire HDX could be 
taken using Cellebrite’s UFED Touch 
Ultimate (Horowitz 2014). Due to the
fact
that the devices use a similar OS, it
was believed that this method might 
work for the Fire TV Stick as well. 
The experiment involved connecting 
the Fire TV Stick to the UFED 
Touch and working through its 
menus to attempt to take a logical, 
physical, or file system extraction of 
the device. However, the version of 
the UFED Touch available at the 
time of writing was unable to 
properly recognize or read the Fire 
TV Stick. 

Python Script Test (No root 
permissions) 

This experiment involved the 
creation of a bespoke Python 
script that would take a logical 
image of the Fire TV Stick using 
ADB’s functionality. Komodo Edit 9,
Python 3.5, and the pyadb module
were used to create the script. The
script itself uses native ADB
commands to extract/pull all of the
files that it can, creates hashes before
and after file transfer (MD5 is available on
the FireStick without any additional
modification), compares the hashes,
recreates the directory structure,
and then stores all of the original
timestamps for the files it is able to
access. After several test runs and
modifications, we were able to use 
the script to successfully create 
logical images of the Fire TV Stick 
before and after the test data was 
added. 
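
The hash-before, pull, hash-after workflow described above can be sketched as follows. This is an added example, not the authors' script: it calls the adb command-line tool through subprocess instead of the pyadb module, the function names are hypothetical, the on-device tool name `md5` is an assumption, and the demo runs against a constructed in-memory stand-in for the device.

```python
import hashlib
import shlex
import subprocess
import tempfile
from pathlib import Path


def adb(args):
    """Run one adb command on the workstation and return its stdout."""
    return subprocess.run(["adb", *args], check=True,
                          capture_output=True, text=True).stdout


def device_md5(remote, run, md5_tool="md5"):
    """Hash a file on the device; return None if it could not be read.

    md5_tool is an assumption: older Android toolboxes ship `md5`, newer
    ones `md5sum`. Both print the digest as the first token of the line.
    """
    try:
        out = run(["shell", f"{md5_tool} {shlex.quote(remote)}"])
    except subprocess.CalledProcessError:
        return None
    token = (out.split() or [""])[0].lower()
    # Validate the digest itself: an error such as "Permission denied" can
    # come back as ordinary output, so the exit status alone is not enough.
    is_digest = len(token) == 32 and all(c in "0123456789abcdef" for c in token)
    return token if is_digest else None


def acquire(remote_paths, dest, run=adb):
    """Pull each file, hashing on the device first and locally afterwards."""
    dest = Path(dest).resolve()
    manifest = []
    for remote in remote_paths:
        entry = {"remote": remote, "status": "unreadable",
                 "md5_device": None, "md5_local": None, "mtime": None}
        manifest.append(entry)
        local = (dest / remote.lstrip("/")).resolve()
        if dest not in local.parents:      # refuse paths that escape dest
            entry["status"] = "rejected"
            continue
        entry["md5_device"] = device_md5(remote, run)
        if entry["md5_device"] is None:    # e.g. the data directory without root
            continue
        local.parent.mkdir(parents=True, exist_ok=True)   # mirror the tree
        try:
            run(["pull", "-a", remote, str(local)])       # -a keeps timestamp
        except subprocess.CalledProcessError:
            continue
        entry["md5_local"] = hashlib.md5(local.read_bytes()).hexdigest()
        entry["mtime"] = int(local.stat().st_mtime)
        same = entry["md5_local"] == entry["md5_device"]
        entry["status"] = "verified" if same else "mismatch"
    return manifest


def demo():
    """Run acquire() against a constructed, in-memory stand-in for adb."""
    files = {"/sdcard/Download/sample.apk": b"constructed sample bytes",
             "/system/sample.prop": b"constructed=1\n"}

    def fake_run(args):
        if args[0] == "shell":
            path = shlex.split(args[1])[1]
            if path not in files:          # mimic the non-root failure
                return f"md5: {path}: Permission denied\n"
            return f"{hashlib.md5(files[path]).hexdigest()}  {path}\n"
        Path(args[3]).write_bytes(files[args[2]])         # "pull"
        return ""

    with tempfile.TemporaryDirectory() as tmp:
        wanted = [*files, "/data/sample.db", "/sdcard/../../escape"]
        return acquire(wanted, tmp, run=fake_run)


if __name__ == "__main__":
    for row in demo():
        print(row["status"], row["remote"])
```

Files that cannot be hashed on the device are recorded as unreadable rather than skipped silently, so the manifest documents what the non-root image is missing.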

We used FTK Imager v.3.4.0.1 
to analyze the images created by the 
script. The file structure of the 
image created after the test data 
had been added is included in Figure 
1. 


image-4_1_2016 (After user actions, after fix)
  C:\Users\Logan\Documents\Digital Forensic
    acct
    cache
    config
    data
    dev
    mnt
    res
    root
    sbin
    storage
    system
    tmp
Figure 1: File structure of the test data 
image produced by the Python script 


An analysis of the image showed that 
some artifacts of user actions could 
be recovered. These artifacts 
included: 


• Remnants of the side loading process for Kodi,
• A list of installed apps,
• Files/APKs associated with installed apps,
• App thumbnails, &
• APK files for side loaded apps.

The analysis also discovered some
system information including:

• The device’s language setting &
• APK/ODEX files for background apps.

However, there were a few
issues with this image. First, many
useful data and artifacts of user
actions came from having the ES File
Explorer app installed on the
device. If this were not installed on
the device, most of what was found in
the image would not be there. Second,
the data directory was unable to be
extracted due to permissions issues
(root required). This directory is where
much of the useful user data is stored
on the device.

Rooting Test 

This experiment was designed to 
address the issue of not having root 
permissions on the Fire TV Stick, 


which stopped us from accessing 
areas of the device that were likely to 
contain the most useful information. 
This involved the use of KingRoot 
v.4.8.5. Through an article on 
AFTVnews.com, we discovered that 
Fire OS v.5.1.5 on the first
generation Fire TV and the 
Fire TV Stick could be rooted 
using the KingRoot automatic 
rooting app (AFTVnews 2016). 
Thus, we downloaded a copy of 
KingRoot’s APK to a 
workstation and used ADB’s 
install command to install it on 
the Fire TV Stick. However, we 
discovered that KingRoot’s 
GUI is designed to work with 
a mouse and not the Fire TV 
Stick’s remote. Therefore, we 
needed to connect a Bluetooth 
mouse to the Fire TV Stick to 
run KingRoot. After a few 
attempts, we successfully 
rooted the Fire TV Stick and 
side loaded the SuperSU APK 
using ADB install. Using a 
Windows workstation, an ADB 
connection was established to 
the Fire TV Stick and the su 
command was run, successfully 
gaining root permissions on the 
device. 

After gaining root 
permissions, we modified the Python 
script so that it would use them when 
attempting to extract files. We ran
into issues with the ADB get remote
file command, which were alleviated
when we changed our acquisition
workstation from Windows to Linux.


ADB Extraction Test (Root permissions)

Having root
permissions on the device
permissions on the device 
significantly eased the challenges 
encountered during the prior ADB 


extraction method. Therefore, we 
chose to reattempt the test with root 
permissions to see if we could 
produce an image which included 
the userdata partition. The 
experiment began by starting an 
ADB Server with root permissions on 
an Ubuntu machine. A connection 
was then established to the Fire TV 
Stick and the ADB mount command 
was used to locate the userdata 
partition. We then navigated to its 
location and ran the su command to 
gain root permissions. From there 
the chmod command was used to 
provide temporary (until reboot) 
world-read permissions on the 
userdata block. The ADB pull 
command was used and successfully 
created an image of the Fire TV 
Stick’s userdata partition. Two 
images were created using this 
process: a test image created while 
initially working out the process 
and an image after initial test 
data was added. After adding 
further test data, we attempted to 
create another image but an 
automatic software update rendered 
the current version of KingRoot 
incapable of rooting the Fire TV 
Stick. Thus, we were unable to obtain 
an image at this point; although an 
investigator would not put such a
device online during live casework, 
we needed connectivity to generate 
test data to assess the Fire Stick. 
However, we were able to 
continue analysis using 
the image taken with 
initial test data. 

We used AccessData Labs 
v.5.1 to analyze the images created 
using the ADB pull method. The file 
structure of the test image created 
after the test data had been added 
is included in Figure 2. 


Evidence
  test image.raw
    NONAME [ext4]
      [root]
        app-private
        dalvik-cache
        data
        datadib
        debug_service
        diag
        dontpanic
        drm
        DxDrm
        hwval
        key_provisioning
        local
        lost+found
        media
        mediadrm
        misc
        playready
        proffiine
        resource-cache
        securedStorageLocation
        securestop
        security
        sfs
        system
        tombstones
        user
        vitals
        webcrypto
      [unallocated space]


Figure 2: File structure of the userdata 
image produced by the ADB extraction 
method (after the addition of test data) 


An analysis of the image showed 
that a large amount of useful 
information could be recovered. 
Artifacts of user actions that could 
be recovered included: 

• Images uploaded to Cloud Drive by the user,
• A list of Bluetooth devices paired with the Fire TV Stick,
• App authorization information,
• The name of the registered Amazon account,
• A list of installed app packages,
• A list of “favorite” apps,
• A list of recommended apps,
• Device user accounts,
• A list of side loaded apps,
• Last accessed & modified times for apps,
• Amazon Prime music information,
• Gaming profiles on the device,
• Spotify login credentials (username and password hash),
• Browser history,
• A full list of installed apps,
• Remnants of the side loading process for Kodi, &
• Kodi user data.

The analysis also discovered some 
extremely useful system information 
including: 

• The private encryption key used by ADB,
• SSHDroid’s default credentials,
• The main amazon, events, and system logs,
• Device settings,
• The OS version,
• OS & software pending and published updates,
• App packages’ sync hashes,
• The device name,
• Country & time zone information,
• Security settings,
• SSHelper’s version and default password,
• KingRoot rooting logs,
• The Bluetooth adapter’s MAC address,
• Wi-Fi network information,
• The log of recently running processes, &
• Device usage statistics (Daily, weekly, monthly, & yearly).


While the images produced using the 
ADB extraction method proved to be 
extremely useful, there are a few 
issues with the process. First, the 


process requires that the permissions 
be changed on the partition in order 
to use ADB pull to extract it. Thus, a 
change must be made to the system, 
which is certainly not ideal to the 
overall forensic soundness of the 
process. Upon close inspection, 
KingRoot was not found to have made 
significant changes to the userdata 
partition; this will need to be 
reassessed for each and every future 
root/exploit method released. Forensic 
soundness is still preserved during 
extraction as the userdata partition is 
only granted world-read, not world-write.
These permissions reset after
the device is rebooted. Thus, ADB 
cannot modify the data during a pull 
operation. 

Manual Acquisition Test 

In the event of seizing a device that
cannot be rooted, we performed
further experiments using manual
extraction of data. This process
involves using more traditional means:
video recording, photos, and note-taking
to capture and analyze the
menus visible to a regular user. The
test began by powering on the Fire
TV Stick and recording the time. We
then proceeded through all of the
menus/pages that are normally visible
to a user, starting with the “Home”
tab. Each tab/menu was fully
documented before proceeding to the
next tab. An example of one of the
photos used to document the Fire TV
Stick’s “Home” tab can be seen in
Figure 4.


Figure 4: Fire TV Stick's Home tab with recent 
activity feed highlighted 


An analysis of the videos/images
showed that a large amount of useful
information related to the
test data could be recovered.
Artifacts of user actions that could
be recovered included:

• Recently accessed apps/content,
• Games downloaded by the user,
• The user’s gaming profile,
• A list of apps downloaded by the user (Side loaded apps are
  distinguished by a “This app was not downloaded from Amazon”
  message),
• Amazon Prime music/account content,
• The user’s Amazon Cloud Drive images/albums,
• Metadata for Cloud Drive images (Name, taken & uploaded
  timestamps, dimensions, etc.),
• The email address associated with the registered user’s Amazon
  account,
• Bluetooth devices synced with the Fire TV Stick,
• A full list of installed apps with metadata (Version, size,
  storage, etc.), &
• The name of the registered Amazon account.

The analysis also discovered some 
extremely useful system information 
including: 


• The device name,
• Amazon remote, game controller, & other Bluetooth device info
  (Name, version, serial number, etc.),
• The device’s storage capacity,
• The OS/software version,
• The serial number,
• Current date & time on device,
• The SSID of the connected Wi-Fi network,
• The device’s IP address,
• The Wi-Fi adapter’s MAC address,
• The number of controllers/Bluetooth devices connected,
• System update timestamps,
• Available Wi-Fi networks,
• The location zip code,
• Country & time zone information, &
• Language settings.

However, this acquisition method is 
the least preferable as it requires 
the device to be analyzed live, 
resulting in changes to the system. 


5. Recommendations 


In order to acquire an image of the
Amazon Fire TV Stick, a forensic
investigator should carry out the
following:

1. Start an ADB server with root privileges on an Ubuntu
   workstation. Then download the KingRoot and SuperSU APKs to
   the workstation.

2. Activate the video capture device and record the time.

3. Connect the Fire TV Stick to an HDMI enabled monitor/TV and
   power on the device.

4. Navigate to the Settings tab on the Fire TV Stick, and locate
   the “USB debugging” and “Allow apps from unknown developers”
   options. Enable both of these options if they are disabled.

5. Use ADB’s install command to side load the KingRoot and SuperSU
   APKs onto the Fire TV Stick from the Ubuntu workstation. Connect
   a Bluetooth mouse to the Fire TV Stick and launch KingRoot. Run
   KingRoot until the Fire TV Stick is successfully rooted. Then
   launch SuperSU and select the option that tells KingRoot to
   allow it to have root privileges.

6. Establish an ADB shell connection to the Fire TV Stick and use
   the mount command to determine which partition/block device
   stores user data.

7. Navigate to the /dev/block directory and locate the
   partition/block device.

8. Use the su command to gain root privileges and change the
   permissions of the userdata partition to allow world read
   using chmod 775.

9. Exit the device and use ADB’s pull command to create an image of
   the partition and pull it onto the workstation.

10. Power off the Fire TV Stick and video capture device, record
    the times of both actions.
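
Steps 6 to 9, and the rooted ADB extraction test they are based on, depend on three checks an investigator will want recorded: which block device is mounted at /data, what chmod 775 grants to other users, and the hash of the pulled image. The following is an added example, not code from the paper; the function names are hypothetical, the mount output is constructed with placeholder device paths, and the SHA-256 digest is an addition alongside the MD5 the paper uses.

```python
import hashlib
import io
import re

# Constructed sample of `mount` output as seen over an ADB shell. The device
# paths are placeholders, not values from the paper. Both common layouts are
# included: the /proc/mounts style and the "X on Y type Z (opts)" style.
SAMPLE_MOUNT = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/EXAMPLE/by-name/system /system ext4 ro,relatime 0 0
/dev/block/EXAMPLE/by-name/userdata /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/EXAMPLE/by-name/cache on /cache type ext4 (rw,nosuid,nodev)
"""

_ON_TYPE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)")


def parse_mounts(text):
    """Return a list of (device, mountpoint, fstype, [options])."""
    rows = []
    for line in text.splitlines():
        m = _ON_TYPE.match(line)
        fields = m.groups() if m else tuple(line.split()[:4])
        if len(fields) == 4:
            dev, mnt, fs, opts = fields
            rows.append((dev, mnt, fs, opts.split(",")))
    return rows


def block_device_for(text, mountpoint="/data"):
    """Pick the one block device mounted at mountpoint (userdata by default)."""
    hits = [dev for dev, mnt, _, _ in parse_mounts(text)
            if mnt == mountpoint and dev.startswith("/dev/block/")]
    if len(hits) != 1:
        raise LookupError(f"expected one device at {mountpoint}, got {hits}")
    return hits[0]


def other_bits(mode):
    """What a chmod mode string such as '775' grants to 'other' users."""
    bits = int(mode, 8) & 0o7
    return {"read": bool(bits & 4), "write": bool(bits & 2)}


def image_digests(stream, chunk_size=1 << 20):
    """Hash an acquired image in chunks so large partitions fit in memory."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


if __name__ == "__main__":
    print(block_device_for(SAMPLE_MOUNT))
    print(other_bits("775"))
    # Stand-in for open("userdata.img", "rb"); the bytes are constructed.
    print(image_digests(io.BytesIO(b"abc")))
```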


6. Summary 


The proposed method for imaging 
the Fire TV Stick would allow digital 
investigators to perform an analysis 
of the device. Alterations to the 
device have been kept to a minimum 
and efforts have been taken to 
minimize/eliminate alteration of the 
data. Thus, the method maintains the 
majority of the data’s integrity and 
can be considered semi-forensically
sound. 


Whether or not a particular Fire TV 
Stick can be imaged successfully 
using this method is entirely 
dependent on its OS/software 
version. It is possible to use 
KingRoot to root Fire TV Stick 
devices that are running Fire OS 
v.5.0.5.1 or lower, and is thus
possible to acquire an image of these 
devices using this method. Devices 
running Fire OS/software versions 
above version 5.0.5.1 cannot be 
rooted using the current version of 
KingRoot at the time of writing. Thus, 
it is not possible to acquire an image 
of them using the proposed method. 
The Amazon Fire TV Stick does 
contain recoverable information that 
is of interest to a forensic 
investigator. The device contains 
recoverable artifacts related to the 
user’s activity on the system. 
It is also possible to recover useful 
information about the device itself 
including: 

Further challenges will be faced
when it comes to the issue of rooting
the Fire TV Stick. The constant
fear of automatic Fire OS
updates and losing the potential
to root will require careful
consideration to ensure update
servers have been blocked by a
firewall, or work is conducted in a
Faraday cage environment.


7. Future Work 


Downgrading the software/firmware 
on the Fire TV Stick has the 
potential to make the device 
rootable using KingRoot. However, 
doing so was not tested, and neither 
were the potential effects on the data
stored on the device. Thus, further
experimentation needs to be
conducted before forensic
investigators attempt this on live
casework.

This paper focused on what 
could be retrieved from the device 
itself; although we did obtain a few 
packet captures of traffic to the 
device, a more detailed network 
forensics investigation is required. 
Furthermore, the Fire TV Stick has a
companion app that is produced by 
Amazon. The Fire TV Stick Remote 
App is used to turn your smartphone 
into a remote that can control the 
device. It provides voice search, 
navigation, playback control, and 
keyboard text entry features (Amazon 
Mobile LLC n.d.). While this app is 
simply used to control the device, 
analyzing the interactions between it 
and the Fire TV Stick may provide 
some useful information. Future 
research should consider analyzing 
the app itself as well as its interactions 
with the Fire TV Stick to determine if 
any forensic artifacts are retrievable. 

Finally, new streaming 
services and applications will 
continue to emerge as streaming 
media devices become more 
popular. These services may provide 
other useful artifacts of interest to a 
forensic investigator, or provide new 
means for analyzing the Fire TV 
Stick. Future research should 
consider the implications that new 
services may have on this device. 


8. References 


AFTVnews. 2016. Fire OS 5 on the Amazon Fire TV 1 and Fire TV
Stick can be Rooted. February 20. Accessed May 7, 2016.
http://www.aftvnews.com/fire-os-5-on-the-amazon-fire-tv-1-and-fire-tv-stick-can-be-rooted/.

Amazon Mobile LLC. n.d. Amazon Fire TV Remote App. Accessed May
7, 2016.
https://play.google.com/store/apps/details?id=com.amazon.storm.lightning.client.aosp&hl=en.

Cushing, Tim. 2014. Amazon Fire TV Firmware Update Bricks Rooted
Devices, Prevents Rollback To Previous Firmware Versions.
December 5. Accessed May 7, 2016.
https://www.techdirt.com/articles/20141128/08291529271/amazon-fire-tv-firmware-update-bricks-rooted-devices-prevents-rollback-to-previous-firmware-versions.shtml.

Evangelista, Benny. 2015. Cord cutting accelerated in 2015, on
track to continue next year. December 31.
http://www.sfchronicle.com/business/article/Cord-cutting-accelerated-in-2015-on-track-to-6730696.php.

Fairbanks, Kevin D. 2012. "An analysis of Ext4 for digital
forensics." Digital Investigation 9, The Proceedings of the
Twelfth Annual DFRWS Conference. Trumansburg, NY: Digital
Forensics Research Workshop. S118-S130.

Horowitz, Jacob. 2014. Kindle Fire HDX Forensics. April 15.
Accessed May 7, 2016.
http://kindlefirehdxforensics.blogspot.com/.

Iqbal, Asif, Hanan Alobaidli, Ibrahim Baggili, and Andrew
Marrington. 2014. "Amazon Kindle Fire HD Forensics." In Digital
Forensics and Cyber Crime, Volume 132 of the series Lecture Notes
of the Institute for Computer Sciences, Social Informatics and
Telecommunications Engineering, by Pavel Gladyshev, Andrew
Marrington and Ibrahim Baggili, 39-50. Springer International
Publishing.

Jovanovic, Zlatko. 2012. Android Forensics Techniques.
International Academy of Design and Technology.

Leung, Kenny. n.d. About Samsung's Knox Counter. Accessed May 7,
2016.
http://androidfact.com/about-samsungs-knox-counter/.

Smith, Jessica. 2016. Here's why consumers are increasingly
turning to streaming media devices to view content. March 17.
Accessed May 6, 2016.
http://www.businessinsider.com/the-streaming-media-device-report-market-forecasts-top-players-and-consumer-viewing-trends-that-will-shape-the-market-2016-2.

Srinivas. 2014. Getting Started with Android Forensics. August 20.
http://resources.infosecinstitute.com/getting-started-android-forensics/.

Terry, Nick. 2015. Amazon Fire TV Takes 30% Of The Streaming
Market. June 5. Accessed May 6, 2016.
http://www.androidheadlines.com/2015/06/amazon-fire-tv-takes-30-streaming-market.html.

van Bolhuis, Peter, and Cedric Van Bockhaven. 2014. Forensic
analysis of Chromecast and. University of Amsterdam.


